What's inside

Did you know that it takes just 10 minutes to crack a password of 6 lowercase letters?

To most small business owners, being hacked is something they would rather not think about or, even worse, something they believe could not happen to them. Well, it could – and it does – happen on a regular basis, and that is precisely why you need to arm yourself with knowledge that will help you make better decisions around your online security.

This guide helps business owners understand the threat of hacking, the motives behind it, what is at risk and how to combat these kinds of attacks.

Excerpt

It doesn’t take long to find a site or network with poor security. Hackers don’t spend days or weeks trawling the Internet looking for sites to hack; they create code to do that for them, code which ceaselessly scans for weaknesses, flaws and open doors.

About Author

Mike Foreman is enthusiastic about the world of small businesses and is AVG’s General Manager of SMB. He is also a former IT reseller and blogs about topical SMB issues at http://blogs.avg.com

From spear phishing to social engineering and Trojan horses - the ways in which a computer or network can be hacked have some rather obscure and technical names. But what do these dramatic-sounding threats really mean to a small business, and how likely are they to occur?

The first step in tackling a threat is to understand it. This guide will demystify global hacking phenomena and explain how local and small businesses can inform and prepare themselves.

Look out!

The Internet is growing at a staggering rate. Devices proliferate, user numbers continue to surge, and the means of connecting devices, data and applications to users grow ever more complex.

With accelerating levels of technological integration comes the opportunity to live and work in new and exciting ways. But with that change come certain risks. The more means we have to be connected, the more devices we use, the more windows of opportunity there are for hackers.

Many small businesses assume a hacker won’t be interested in their data, misguidedly believing that they’d be more interested in hacking larger corporations.

Sadly, the evidence shows otherwise. Hackers target 30,000 SMB websites per day to spread malware. So what can businesses do to prevent those attacks or at least lessen their impact?

The answers are simpler than you might think. Surprisingly, the number one way to reduce the chance of being hacked is to use a strong password! But that’s not all: there are plenty more protective measures that you and your business can undertake...

Hackers are mysterious and secretive and their motivations vary. Just as the Internet has opened up new frontiers for trade, so have hackers from all corners of the globe found ways to identify new international targets.

Don’t be fooled by the "geek" label.

Who are they?

Anonymity is the primary modus operandi, no matter what the nationality of the hacker. Hackers in, say, Brazil, can anonymously run phishing operations targeting web users in Spain, the UK and the US as well as targeting their compatriots. And they have done so. Cybercrime is so hard to police because of this lack of geographical restriction.

Whatever else can be said about them, hackers are highly skilled and technically competent people, to say the least - don’t be fooled by the “geek” label; the vast majority of web users would not have the slightest idea how to hack into, say, NASA or even a standard e-commerce system. And while hackers have many and varied reasons for doing what they do, it’s not quite so hard to understand who they target and why.

Larger corporations have more financial resources to invest in defences. Hackers are well aware of this, so they logically target the weaker links in the chain - the suppliers, so often an SMB.

The data that these SMB suppliers process is often extremely valuable, both to the SMB and to the client they are supplying. Hackers know this too.

Anonymously, and from international bases, hackers produce programs and software designed to scour the web hunting for those weak links, wherever they may be.

Hackers don’t just want purely financial information. Personal profiling data is highly valuable to them, as is corporate data relating to new product research and development.

The evidence is clear. Regardless of company size and regardless of the hacker’s objective, the main reason so many smaller businesses are still hacked so easily is the low-level security measures they mistakenly have in place. An attitude shift is required.

All too easy

What is not so clear is why businesses are still leaving their keys in the ignition. For example, the most popular password in 2012 was Password! Likewise, when a business owner has a mentality of “I’m a small business, hackers won’t be interested in me”, they may not bother with higher levels of security. They are therefore letting their guard down on at least two counts: personal protection and that of the network.

It doesn’t take long to find a site or network with poor security either. Hackers don’t spend days or weeks trawling the Internet looking for sites to hack; they create code to do that for them, code which ceaselessly scans for weaknesses, flaws and open doors.

A single hack may only result in a few hundred sets of credit card details, but that profiling data is still highly desirable because of its value on the black market. Even if the hacker doesn’t sell or share the data directly, they can use it to set up other accounts online and create false or duplicate identities based on real people - your customers - in order to commit fraud, other crimes or more simplistic disruptive activities.

Be on guard

There are many ways to hack into a website or network - and it won’t always be obvious that an attack has happened - but the most common forms of attack to look out for include:

Phishing / Spear Phishing

Hackers will send you an official-looking email purporting to be from one of the sites or apps you might use, e.g. PayPal. Or it may appear to come from one of your own employees who occupies a position of high authority. In the email they will ask you to click on a link or reply to it with a certain piece of sensitive information.

Social Engineering

This is where a hacker attempts to gain the confidence of an authorized user of your website or business systems and gets them to reveal information that will enable them to later compromise its security. They might reach out to your employees on social media, in and out of working hours, or hang around a coffee shop near the office and strike up a leading conversation.

Cross-site Request Forgery

This is where a hacker tricks a legitimate user into giving out access details, usually by email or by sending HTTP requests, which then enable them to exploit the computer or system, e.g. modify firewall settings, post unauthorized data on a forum, or carry out fraudulent transactions.

SQL Injection

This is where the hacker adds Structured Query Language (SQL) code to a web form input box, which then gives them access to your resources or the ability to make changes to the data in your systems. This kind of hack can go undetected and, in certain cases, seriously affect your search rankings.

Malware, Trojan Horses, Viruses, Worms, Spyware

These programs contain malicious code, sometimes hidden inside another, apparently harmless-looking program. When activated, they gain control of your computer and can delete or amend files, secretly capture your login details for other websites, or conduct other disruptive activities without your being aware.

Drive-by Downloads

This is where a person visits a web page and a piece of malware is downloaded without their knowledge, without their even deliberately clicking anything. That malware may then allow other types of hacking to take place.
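The SQL injection entry above says that code typed into a form box can end up running against your database. The short program below is an added illustration and is not code from the guide or from AVG: it builds a constructed in-memory customer table, looks a user up once with the input pasted straight into the SQL text (the defect) and once with a parameterised query (the fix), and shows that only the first form lets a quote character in the input change what the query does. The hostile input is a constructed, textbook example; the point for a business owner is the second function, which is what to ask your developer or IT professional to confirm your site uses.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for the kind of
# records a small-business website might hold.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The defect: the form field is pasted straight into the SQL text, so a
    quote character in the input becomes part of the query's own syntax."""
    query = "SELECT id, username FROM customers WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterised query. The database receives the SQL and the
    value separately, so the input is always treated as data, never as code."""
    query = "SELECT id, username FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups against an ordinary username and a constructed hostile one."""
    conn = build_db()
    normal = "bob"
    # Constructed hostile input: a quote that closes the string literal followed
    # by a condition that is always true. Against vulnerable_lookup() the query
    # becomes  ... WHERE username = '' OR '1'='1'  and matches every row.
    hostile = "' OR '1'='1"
    return {
        "normal_vulnerable": vulnerable_lookup(conn, normal),
        "hostile_vulnerable": vulnerable_lookup(conn, hostile),
        "normal_safe": safe_lookup(conn, normal),
        "hostile_safe": safe_lookup(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Note that the fix is parameterisation, not trying to filter "bad" characters out of the input: the safe version returns no rows for the hostile string simply because no customer has that literal name.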

Capturing, storing and transmitting data through your business systems is a risk you can’t avoid. But it is a risk you can manage. The greater risk is assuming you won’t be a target because you think your business has nothing to offer a hacker.

Risk analysis

You may not store any customer credit card details on your server, but your website can still be defaced or taken offline for other reasons. If that happens it could:

Stop orders coming through.

Cause a loss of customer confidence in your site’s security, brand or reputation.

Cause customers to log on to a competitor’s site.

An emerging trend in the security industry is to think of your business as being in a constant state of compromise and flux.

This isn’t as pessimistic or alarming as it sounds. It’s actually more a pragmatic and realistically-minded recognition that, rather than trying to predict and defend against all possible attacks at all possible times (which is extremely resource intensive and costly), it is better to accept that a certain amount of compromise is always likely.

With that in mind, you can then maximise and allocate whatever resources are available in tackling the most virulent and prevalent attacks. This represents a constructive and helpful shift in attitude. It doesn’t mean that small businesses accept defeat or ignore the risks; it means you accept that you can’t always foresee every attack and instead you take steps to minimise the related impact.

In a short amount of time, by carrying out a few straightforward measures coupled with some fine-tuning, you can easily raise your level of security against the most common threats without it costing your business the earth. Take your time to consider them.

The best security policies start with the individual. If every staff member is well drilled in the subject of protective steps and security measures, the chain is immediately reinforced at every link.

Protective steps

The first thing you and your staff can do is to use strong password creation processes.

The second important means of defense is to keep your passwords strong! You can put your business in a good position to do this by:

Limiting how many people have access to your systems.

Changing your passwords regularly (at least once a month is good).

Not using the same password for multiple accounts.

Not writing down your passwords and leaving them near your PC for ‘frenemies’ to find and misuse.
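The guide opens with the figure that six lowercase letters can be cracked in about ten minutes, and the steps above ask for strong passwords without saying what makes one strong. The script below is an added illustration, not code from the guide or from AVG. It estimates the number of guesses a brute-force search must cover for a given password and how long that takes at an assumed guessing rate; the rate is an assumption derived from the guide's own figure (26 to the power 6 combinations in 600 seconds), and the policy thresholds of 12 characters and three character classes are assumptions chosen for illustration. It generalises the single case in the text to any length and mix of character classes.

```python
import string

# Assumed guessing rate, derived from the guide's figure: if six lowercase
# letters (26**6 combinations) fall in ten minutes, the attacker is trying
# about 26**6 / 600 guesses per second. An assumption for illustration only.
ASSUMED_GUESSES_PER_SECOND = 26 ** 6 / 600

# Character classes used to estimate the alphabet a brute-force search must cover.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> int:
    """How many of the character classes appear in the password."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in password))


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates a brute-force search of this length and alphabet must cover."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guessing rate."""
    return keyspace(password) / rate


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Assumed policy: minimum length plus a minimum number of character classes.
    Length matters most because it is the exponent in keyspace()."""
    return len(password) >= min_length and classes_used(password) >= min_classes


def describe(password: str) -> str:
    """One-line summary of the estimate for a given password."""
    days = seconds_to_exhaust(password) / 86400
    verdict = "OK" if meets_policy(password) else "FAIL"
    return (f"{len(password)} chars, alphabet {alphabet_size(password)}, "
            f"keyspace {keyspace(password):.3g}, ~{days:.3g} days to exhaust, "
            f"policy {verdict}")


if __name__ == "__main__":
    # Constructed sample passwords, from the guide's six-lowercase case upwards.
    for pw in ("abcdef", "Abcdef1", "Tr0ub4dor&3", "correct-horse-battery-Staple9"):
        print(describe(pw))
```

The estimate is a ceiling, not a guarantee: it assumes the attacker has to try every combination, whereas a dictionary word such as the "Password" mentioned earlier in the guide falls in a handful of guesses regardless of its length. Treat the output as a way to see why each extra character multiplies the work, not as a promise about any particular password.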

Check Yourself!

Defeating or deterring the hackers doesn’t stop at strong passwords. These simple checks will help ensure your IT security is in good shape:

Check your Firewall and AntiVirus

Are they both up to date? Are the right settings applied? Do this for every device in your network. Leave nothing out of date and no stone unturned.

Check your Backups

Running a daily backup means you can restore everything to a recent point in the past, limiting the loss and helping you recover as quickly as possible if you are hacked.

Check your Code

Assuming you do not have the appropriate internal resources, invite an IT professional to scan your systems and perform a penetration test to confirm that the coding and hosting of your website is both robust and free of common errors.

You may need to invest in an SSL certificate too, but this isn’t expensive.

If you are unlucky enough to be hacked, knowing how to respond and what steps to take first could make all the difference. It proves to your customers that you are taking the problem seriously and reacting to their concerns and needs.

But what if...

Focus

At this point you need to quickly understand what has happened, the impact it is having, the consequences, and how to fix it. This is not the time to go looking for a scapegoat; it is time for careful and considered action.

Be cautious

Don’t dive in straight away and try to fix it yourself, because you might make things worse or disturb important evidence. Only fix it if you are absolutely certain you have the skills, tools, knowledge and authority.

Call in an expert

Yes, it might cost you, but think of how much more it could cost if you cannot fix things quickly or in the right way: a loss of sales, reputation, or of loyal customers. Can you afford that?

Tell your customers

When you know what happened and how it affects your customers, tell them. Be open, upfront and honest. Your reputation is just as important as your sales. Ask them to change their password if they have an online account with you.

Upgrade and update

If you were hacked because of outdated software or hardware, then this is the time to invest in equipment better suited to today’s threats.

Stay vigilant

Keep an eye open for news about the latest hacks, even if they happened to a large company or government. The same flaw may exist in your software, hardware, website or network. Find out what the cause was and figure out if it applies to you. If you’re not sure, call in an expert.

Hackers want what you don’t want them to have and will continue to look for ways to get hold of it. Whose will is the stronger and whose technology will falter first?

You don’t have to leave it to chance: you can improve your security and protect your business.